Cathay Pacific, British Airways, easyJet – what’s the connection?

First (obviously) they are all airlines. Second, they have all had a serious data breach resulting in an investigation by the Information Commissioner’s Office.

Published 22 May 2020

In March 2020 Cathay Pacific was fined £500,000, the maximum under the pre-GDPR law, for various security defects which enabled a hacker to gain access to the personal data of over 9.4 million customers worldwide. In July 2019 the ICO served notice on BA that it intended to impose a fine of over £180 million, representing 1.5% of worldwide turnover, for customer data being diverted to a false site, affecting over 500,000 customers. BA are contesting this. Now in May 2020 easyJet has announced that a sophisticated cyber attack has resulted in the email and travel details of around 9 million customers (including credit card details for a small number) being compromised. This seems to have been discovered in January but at present it is not known exactly when the attack took place.

Another common feature is that these are all large consumer service businesses which are expected to apply the very highest standards of data security, so any lapse resulting in a breach, even if it is claimed that it could not have been anticipated, is likely to meet with little sympathy. easyJet’s total revenue in 2019 was £6.4 billion, so a 1.5% fine, similar to BA, would be £96 million.

An interesting question is whether, in addition to the mitigating factors of levels of security applied, diligence in investigation and cooperation with the ICO, any additional mitigation will result from the Covid-19 pandemic, which has decimated airline travel. The argument will no doubt be made, but as several commentators have highlighted, that logic would suggest that in times when the airline was enjoying strong performance, the fine should be increased.

Whatever approach the ICO decides to take, easyJet can expect any fine to be significant. This clearly comes at a very unwelcome time for the airline, given the state of the industry – and its outlook over the next 12-24 months – but compared to many of its peers, easyJet appears to be in a fair condition financially (relatively speaking). It has reportedly drawn down £600m in loans from the Bank of England and deferred contracts for new aircraft to shore up its cash position, and a modest number of domestic flights are scheduled to restart in June.

The fact that this announcement has only just been made and a full investigation by the ICO has not yet got underway may be ominous – in these circumstances it is often the case that the extent of the breach turns out to be worse rather than better than was originally reported. This data breach story therefore seems to have a long way to go yet.
